e5f7b0bfca29477bdd6e74bf03afc218554a858b62b84a31c4e20afe3889fef8

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

057a19991bca6e27e015d6b1cd0dfae0.dll
Size

236KB
MD5

057a19991bca6e27e015d6b1cd0dfae0
SHA1

f477531271d767b14521cfbb70a6d45597b9f441
SHA256

e5f7b0bfca29477bdd6e74bf03afc218554a858b62b84a31c4e20afe3889fef8
SHA512

89e88c58049a01942195e62cae2e1dffd5726ae8e4695739fc0878c923e2d984a4d039d25d439aefb39b5ae44d1c9bf1c81b27b17a446787d549fa5d50959dbf
SSDEEP

1536:Iguo2K86vta10RJQYPIHL+D5IWhxRh/Ci4ucg3/+k5ltr+DRPG8Gz7wk+cQvMe:Go256vS0RJAL+lHPKi40+66iwkD0J

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cmjwpszhu = "{a2929215-2a1a-7f6f-3b2b-2a1a1a9d88cd}"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pzwjcfmuh.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\pzwjcfmuh.dll	rundll32.exe
File created	C:\Windows\SysWOW64\xherknucp.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\xherknucp.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a2929215-2a1a-7f6f-3b2b-2a1a1a9d88cd}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a2929215-2a1a-7f6f-3b2b-2a1a1a9d88cd}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a2929215-2a1a-7f6f-3b2b-2a1a1a9d88cd}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a2929215-2a1a-7f6f-3b2b-2a1a1a9d88cd}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a2929215-2a1a-7f6f-3b2b-2a1a1a9d88cd}\InprocServer32\ = "C:\\Windows\\SysWow64\\xherknucp.dll"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	rundll32.exe
2764	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2764	3864	rundll32.exe	14
PID 3864 wrote to memory of 2764	3864	rundll32.exe	14
PID 3864 wrote to memory of 2764	3864	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\057a19991bca6e27e015d6b1cd0dfae0.dll,#1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\057a19991bca6e27e015d6b1cd0dfae0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\pzwjcfmuh.dll

Filesize
180KB

MD5
b72756abd9d07becbbfb883c1eabe32f

SHA1
c7354eaaa2fdb7edc9f97824dbbe1a1a4ec1d94f

SHA256
cb22053849a5793305adeb89e5484805b10ade29c9ff77420d8235018dd84d72

SHA512
afe30c1c492257d644cc76d2fb46a8a7865bc72cf9be07c2d162ba59b2e9be34a97286270dad8ad63a72e20efa99f87fe6e5da06aa3ede1cb5c8806a7ed50526

Download Submit
C:\Windows\SysWOW64\pzwjcfmuh.dll

Filesize
189KB

MD5
4980940f98ed4f1678bfd541b6eb63b9

SHA1
02758b3ef83c74825fa5af667fe8a9358409e18e

SHA256
f8e398da01d842807c87268e18d7bb46e5a27fa98dc5c05241e14fc5f95fe9a4

SHA512
d25afb5931c9fdc6b10db9100007bc92e0fca016bddb3ebf3108f210726540fb5a3b58debb84a4006f54935c12f0e6fd384bce86b229d1212a135e86126534a7

Download Submit
memory/2764-7-0x0000000077A00000-0x0000000077A7A000-memory.dmp

Filesize
488KB

Download
memory/2764-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2764-11-0x0000000077A00000-0x0000000077A7A000-memory.dmp

Filesize
488KB

Download
memory/2764-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download